When we use the Internet, we rely on the security of the certificate
authority system to ensure we are talking with the right people.
Unfortunately, the certificate authority system
is a bit of a mess.
One of the ways we're trying to clean up the mess
is Certificate Transparency,
an effort to put all SSL certificates issued by public certificate
authorities in public, verifiable, append-only logs.
Domain owners can monitor the logs for
unauthorized certificates, and web browsers can monitor for
compliance with the rules and take action against non-compliant certificate authorities.
After ramping up for the last four years, Certificate Transparency
is about to enter prime time: Google Chrome is requiring that all certificates issued on or after April 30, 2018 be logged.
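As an added example (not code from the original post or from any log operator), the following Python shows what "verifiable" means in practice: it implements the RFC 6962 Merkle Tree Hash and inclusion-proof (audit path) verification, so a monitor holding a log's signed root can confirm that a certificate really is in the log without taking the log's word for it. The leaf data is constructed placeholder bytes standing in for the MerkleTreeLeaf structures a real log hashes.

```python
import hashlib
from typing import List

# Added example: RFC 6962 Merkle Tree Hash and inclusion-proof verification.
# Leaves are constructed byte strings standing in for the MerkleTreeLeaf
# structures (wrapping X.509 certificates) that a real log hashes.


def leaf_hash(data: bytes) -> bytes:
    """RFC 6962 section 2.1: leaf hashes get a 0x00 domain-separation prefix."""
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior nodes use a 0x01 prefix, so a leaf can never masquerade as a node."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2); the RFC splits subtrees here."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_tree_hash(leaves: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1; a log's signed tree head commits to this."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaf_hash(leaves[0])
    k = _split_point(len(leaves))
    return node_hash(merkle_tree_hash(leaves[:k]), merkle_tree_hash(leaves[k:]))


def audit_path(m: int, leaves: List[bytes]) -> List[bytes]:
    """PATH(m, D[n]): the sibling hashes a log returns as an inclusion proof for leaf m."""
    n = len(leaves)
    if n == 1:
        return []
    k = _split_point(n)
    if m < k:
        return audit_path(m, leaves[:k]) + [merkle_tree_hash(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [merkle_tree_hash(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    """Client-side check (the RFC 9162 section 2.1.3.2 algorithm): recompute the
    root from the leaf and the audit path using only the tree size and leaf index,
    then compare it with the root the log signed."""
    if index >= tree_size:
        return False
    r = leaf_hash(leaf)
    fn, sn = index, tree_size - 1
    for p in path:
        if sn == 0:
            return False          # more path elements than this tree could need
        if fn & 1 or fn == sn:
            r = node_hash(p, r)   # sibling hash sits on the left
            if not fn & 1:
                # we were the last node on this level: skip levels with no right sibling
                while not fn & 1 and fn != 0:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)   # sibling hash sits on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


if __name__ == "__main__":
    # Constructed sample entries; a real log would hold certificates/precertificates.
    entries = [b"cert:example.com", b"cert:example.net", b"cert:example.org",
               b"cert:mail.example.com", b"cert:www.example.org"]
    root = merkle_tree_hash(entries)
    proof = audit_path(3, entries)
    print("entry 3 included:", verify_inclusion(entries[3], 3, len(entries), proof, root))
    # An entry the log never contained cannot be proven against the same root.
    print("unknown entry included:",
          verify_inclusion(b"cert:not-in-log.example", 3, len(entries), proof, root))
```

The domain-separated prefixes (0x00 for leaves, 0x01 for nodes) are what stop a second-preimage trick where an interior node is presented as a leaf; the verifier's `sn == 0` check rejects proofs that are too short or too long for the claimed tree size. Consistency proofs, which establish the append-only property between two tree heads, follow the same hashing rules but are not shown here.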

But who is supposed to run these Certificate Transparency logs? Servers,
electricity, bandwidth, and system administrators cost money. Although
Google is spearheading Certificate Transparency and operates nine logs
that are recognized by Chrome, Certificate Transparency is supposed
to benefit everyone and it would be unhealthy for the Internet
if Google ran all the logs. For this reason, Chrome requires that
certificates be included in at least one log operated by an organization
besides Google.

So far, three organizations have stepped up and are operating Certificate
Transparency logs that are recognized by Chrome and are open to
certificates from any public certificate authority:

DigiCert
was the first non-Google organization to set up a log, and they
now operate several logs recognized by Chrome. Their DigiCert 2 log
accepts certificates from all public certificate authorities. They are
also applying for recognition of their Nessie and
Yeti log sets, which
accept certificates from all public certificate authorities and are each
split into five shards based on the expiration year of the certificate.
(They also operate DigiCert 1, which only accepts certificates from
some certificate authorities, and have three logs acquired
from Symantec which they are shutting down later this year.)

DigiCert is notable because they've written their own Certificate
Transparency log implementation instead of using an open source one.
This is helpful because it adds diversity to the ecosystem, which ensures
that a bug in one implementation won't take out all logs.

Comodo Certification Authority
(which is thankfully no longer owned by the blowhard who thinks he invented 90 day certificates) operates two logs
recognized by Chrome: Mammoth and Sabre. Both logs accept certificates
from all public certificate authorities, and run SuperDuper,
which is Google's original open source log implementation.

In addition to operating two open logs, Comodo CA runs crt.sh, a search
engine for certificates found in Certificate Transparency logs. crt.sh
has been an invaluable resource for the community when investigating
misbehavior by certificate authorities.

Cloudflare is the latest log operator
to join the ecosystem.
They operate the Nimbus log set, which accepts certificates from
all public certificate authorities and is split into four shards based on
the expiration year of the certificate. Nimbus runs Trillian, Google's
latest open source implementation, with some Cloudflare-specific
patches.

Cloudflare is unique because unlike DigiCert and Comodo CA, they are not a
certificate authority. DigiCert and Comodo have an obvious motivation
to run logs: they need somewhere to log their certificates so they will
be trusted by Chrome. Cloudflare doesn't have such a need,
but they've chosen to run logs anyway.

DigiCert, Comodo CA, and Cloudflare should be lauded for running
open Certificate Transparency logs. None of them have to do this.
Even DigiCert and Comodo could have adopted the strategy of their
competitors and waited for someone else to run a log that would accept
their certificates. Their willingness to run logs shows that they
are invested in improving the Internet for everyone's
benefit.

We need more companies to step up and join these three in running public
Certificate Transparency logs. How about some major tech companies?
Although we all benefit from the success
of Certificate Transparency, large tech companies benefit even more:
they are bigger targets than the rest of us, and
they have more to gain when the public feels secure conducting
business online. Major tech companies are also uniquely positioned to help,
since they already run large-scale Internet infrastructure which could be used to host
Certificate Transparency logs. And what kind of tech company doesn't want the
cred that comes from helping the Internet out?

If you're a big tech company that knows how to run large-scale infrastructure,
why aren't you running a Certificate Transparency log too?